Re: freebsd-security Digest, Vol 61, Issue 3

From: Neo-Vortex (root_at_Neo-Vortex.Ath.Cx)
Date: 06/07/04

  • Next message: Doug Barton: "Re: [Freebsd-security] Re: Multi-User Security"
    Date: Mon, 7 Jun 2004 16:10:46 +1000 (EST)
    To: Michael Vlasov <mv@rbr.ru>
    
    

    On Mon, 7 Jun 2004, Michael Vlasov wrote:

    > On Sat, 29 May 2004 12:00:52 -0700 (PDT),
    > <freebsd-security-request@freebsd.org> wrote:
    >
    > Hello !
    >
    > Today i see in snort logs :
    >
    > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
    > [Classification: Potentially Bad Traffic] [Priority: 2]
    > 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
    > TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
    > ***A*R** Seq: 0x0 Ack: 0x75830001 Win: 0x0 TcpLen: 20
    > [Xref => http://rr.sans.org/firewall/egress.php]
    >
    > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
    > [Classification: Potentially Bad Traffic] [Priority: 2]
    > 06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
    > TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
    > ***A*R** Seq: 0x0 Ack: 0x568A0001 Win: 0x0 TcpLen: 20
    > [Xref => http://rr.sans.org/firewall/egress.php]
    >
    > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
    > [Classification: Potentially Bad Traffic] [Priority: 2]
    > 06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
    > TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
    > ***A*R** Seq: 0x0 Ack: 0x37920001 Win: 0x0 TcpLen: 20
    > [Xref => http://rr.sans.org/firewall/egress.php]
    >
    > Why ? ;-)

    Ok, that means that someone (or thing) is spoofing packets to your box
    (i know, and so does snort, that its spoofed because the source ip is
    127.0.0.1 and its coming in on an interface apart from lo0) this is
    sometimes used as a DoS attack (its one of those fun addresses to use as
    source addresses for them), although, by the looks of it (because theres
    multiple dst-ports being used), someone is using a program like nmap to
    portscan your host using a spoofed ip

    ~Neo-Vortex
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Doug Barton: "Re: [Freebsd-security] Re: Multi-User Security"